9

For example, if I have a friend's public key that's associated with, say, email address john@domain.com, but I want to send him a message at john@other.net, is there a sensible way to do this? Is there a way to permanently associate john@other.net with the original public key?

I realize I could manually encrypt from the command-line (via the original email handle) and subsequently email that content, but I'm looking for something 'usable' that would properly integrate with my email client and other standard GPG/PGP tools.

I also realize it's possible to add a secondary uid/email address to a key you own, but that isn't what I'm looking for either.

Chris W.
    You should mention which client software you're using. Some clients could be able to do this. – Jens Erat Apr 25 '13 at 16:50
  • At present I'm using Evolution, but I was hoping for a solution (like the one below) that is "agnostic". I did notice that the Thunderbird GPG plugin (Enigmail) has functionality for associating secondary addresses... But I'm not a big fan of that client. :) – Chris W. Apr 26 '13 at 17:42
  • Related question: [How do I manage multiple e-mail addresses with GnuPG?](https://superuser.com/questions/1017749/how-do-i-manage-multiple-e-mail-addresses-with-gnupg) – vhs Aug 02 '22 at 00:31

3 Answers

7

You can add aliases to ~/.gnupg/gpg.conf by abusing "groups":

group john@other.net = fingerprint-of-john@domain.com

In new versions of Evolution (tested with 3.22.6) the recipient is passed to gpg including angle brackets. Those must be added when defining the group:

group <john@other.net> = fingerprint-of-john@domain.com

Docs here: GPG Key related Options

u1686_grawity
  • @Ramhound: No. The names and addresses you give to GPG when creating an OpenPGP cert are only ever used as *labels* for that cert, and as *hints* for senders which cert to choose for which recipient. The owner can add multiple such labels to a single cert (I've seen people add their ICQ UINs instead of email addresses), and multiple cryptographic keypairs too (in fact, almost all certs have two keypairs: one for signing, one for encryption)... – u1686_grawity Apr 25 '13 at 21:46
    @Ramhound: ... Those have no relation other than being in the same cert, and they have no relation to the delivery method used. If I encrypt something with `gpg -r grawity@gmail.com`, there is absolutely nothing that would require me to actually *send* it by email to that address: it can be sent to a different address, sent over Usenet or XMPP or IRC or Twitter, pastebinned, or even printed and sent by post. Thus the `group` option only tells GnuPG which cert to use for a given `-r`. – u1686_grawity Apr 25 '13 at 21:48
  • On emacs, `(setq epg--configurations nil)` to reset the cache if it's not reading from `~/.gnupg/gpg.conf` properly. Just spent two hours on this – Sandra Aug 18 '22 at 11:38
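To make the `group` mechanism concrete, here is an added example that is not part of the answer above and not GnuPG's own code: a small Python model of how gpg turns `group NAME = VALUE ...` lines into a lookup table and then expands each `-r` argument through it. The sample `gpg.conf` and the fingerprints in it are constructed placeholders. The matching rules it implements (the name is everything before the first `=`, values split on whitespace, names compared case-insensitively with repeated names merged, and only one level of expansion) mirror GnuPG's documented behaviour and its source as I understand it; treat them as an assumption if you need exact parity with a given gpg version. The point it shows is why the Evolution case needs the bracketed group name: the string gpg receives is compared literally, so `<john@other.net>` and `john@other.net` are two different aliases.

```python
"""Model of gpg.conf 'group' alias parsing and -r recipient expansion."""
from typing import Dict, List

# Constructed sample gpg.conf for this example; fingerprints are placeholders.
SAMPLE_GPG_CONF = """\
# Sample gpg.conf (constructed for this example)
keyserver hkps://keys.openpgp.org

# Plain alias: what `gpg -r john@other.net` (and most MUAs) pass to gpg.
group john@other.net = 0123456789ABCDEF0123456789ABCDEF01234567

# Evolution (3.22+) passes the recipient with angle brackets, so the
# group name must carry them too.  Same key as above.
group <john@other.net> = 0123456789ABCDEF0123456789ABCDEF01234567

# Several values: one -r expands to several recipients.
group team = 0123456789ABCDEF0123456789ABCDEF01234567 FEDCBA9876543210FEDCBA9876543210FEDCBA98

# Same name again (case-insensitively): merged into the group above.
group TEAM = 0xDEADBEEFDEADBEEF

# Only one level of expansion: 'team' here is passed to gpg as a literal
# key search string, it is NOT expanded through the 'team' group.
group nested = team
"""


def parse_groups(conf_text: str) -> Dict[str, List[str]]:
    """Build the alias table from gpg.conf text.

    Blank lines and lines starting with '#' are ignored.  For a 'group'
    option the name is everything before the first '=' (trimmed) and the
    values are whitespace-separated.  Names are stored lower-cased so that
    lookups are case-insensitive and repeated definitions merge (assumed
    to match GnuPG's add_group()).
    """
    groups: Dict[str, List[str]] = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0] != "group":
            continue  # some other option; not modelled here
        name, sep, values = parts[1].partition("=")
        if not sep:
            raise ValueError(f"no = sign found in group definition '{parts[1]}'")
        groups.setdefault(name.strip().lower(), []).extend(values.split())
    return groups


def expand_recipients(recipients: List[str], groups: Dict[str, List[str]]) -> List[str]:
    """Expand each -r/--recipient argument through the alias table.

    A recipient whose exact text matches a group name is replaced by the
    group's values; anything else (including a bracketed address when only
    the plain one is defined) is passed to key lookup unchanged.  Expansion
    is a single level, as documented for gpg.
    """
    expanded: List[str] = []
    for rcpt in recipients:
        expanded.extend(groups.get(rcpt.lower(), [rcpt]))
    return expanded


if __name__ == "__main__":
    table = parse_groups(SAMPLE_GPG_CONF)
    for arg in ["john@other.net", "<john@other.net>", "<john@domain.com>", "team", "nested"]:
        print(f"-r {arg!r:22} -> {expand_recipients([arg], table)}")
```

Running it shows that `-r john@other.net` and `-r <john@other.net>` both land on the configured fingerprint only because both lines exist, while `<john@domain.com>` falls through to a normal key search. When checking a real setup, `gpg --list-keys` on the expanded fingerprint and `gpg --list-packets` on the produced ciphertext confirm which key was actually encrypted to.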
2

Actually, Simon is wrong. You can add new user IDs and revoke old ones on an existing key. Attempting to masquerade as others aside, it would achieve very little to prevent this type of modification since the worst that can happen is that someone receives an encrypted message that they cannot decrypt. At which point they would discover that someone is playing games.

However, if a key has been signed by a third party and then a second UID is added to the key, the previous signatures are not applied to the new UID. You can actually see evidence of this on my key (0x321E4E2373590E5D) because I added two UIDs to my current key earlier this year.

Grawity's recommendation of using group lines is the quick and easy way around the UID disparity issue, especially when the other party either doesn't know how to update their key or doesn't care.

Ben
0

No, a key pair (public and private) cannot be changed after it has been created. If the keys are for john@domain.com then that's it.

The reason for that is that the owner of the e-mail address has to be authenticated before a key pair is issued. If you could change the address after, you could pretend to be someone else and that would make the whole process useless.

If you make your own key pair you can add more than one e-mail address, but such keys cannot be authenticated by others (they have to trust you).

Simon
  • Be careful with putting trust in the e-mail address. E-mail addresses tend to change over time and could be reoccupied; and not everybody is checking the e-mail addresses (and e.g. directly uploading signatures to keyservers). – Jens Erat Apr 25 '13 at 16:49
  • 3
    The *email addresses* (UIDs) and the *key pairs* are stored separately in OpenPGP "keys", so the first sentence is not very correct. – u1686_grawity Apr 25 '13 at 17:29